# frozen_string_literal: true
require "abstract_unit"
require "ipaddr"
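# Integration tests for ActionDispatch::HostAuthorization, the middleware that
# rejects requests whose Host / X-Forwarded-Host headers are not on the
# configured permit list (the defence against DNS-rebinding and host-header
# injection). Every case builds the middleware directly around a trivial
# downstream app so that reaching that app is the signal "host was allowed".
class HostAuthorizationTest < ActionDispatch::IntegrationTest
  # Downstream app: anything that gets past the middleware answers 200 "Success".
  App = -> env { [200, {}, %w(Success)] }

  # With no HOST override, these integration requests carry Host: www.example.com
  # (see the "Blocked host: www.example.com" message asserted below), so most
  # cases only vary the permit list handed to HostAuthorization.new.

  test "blocks requests to unallowed host" do
    @app = ActionDispatch::HostAuthorization.new(App, %w(only.com))

    get "/"

    assert_response :forbidden
    assert_match "Blocked host: www.example.com", response.body
  end

  # NOTE(security): an empty/nil permit list means the middleware is fail-open —
  # every Host value is passed through. Protection only exists once hosts are
  # actually configured; this test pins that (deliberate) behaviour.
  test "passes all requests if the whitelist is empty" do
    @app = ActionDispatch::HostAuthorization.new(App, nil)

    get "/"

    assert_response :ok
    assert_equal "Success", body
  end

  test "passes requests to allowed host" do
    @app = ActionDispatch::HostAuthorization.new(App, %w(www.example.com))

    get "/"

    assert_response :ok
    assert_equal "Success", body
  end

  # The permit list may be a bare string rather than an array.
  test "the whitelist could be a single element" do
    @app = ActionDispatch::HostAuthorization.new(App, "www.example.com")

    get "/"

    assert_response :ok
    assert_equal "Success", body
  end

  # A leading dot (".example.com") permits subdomains such as www.example.com.
  test "passes requests to allowed hosts with domain name notation" do
    @app = ActionDispatch::HostAuthorization.new(App, ".example.com")

    get "/"

    assert_response :ok
    assert_equal "Success", body
  end

  # The dot-prefix is permit-list syntax only; a client sending a literal
  # ".example.com" Host header must not be able to match the wildcard entry.
  test "does not allow domain name notation in the HOST header itself" do
    @app = ActionDispatch::HostAuthorization.new(App, ".example.com")

    get "/", env: {
      "HOST" => ".example.com",
    }

    assert_response :forbidden
    assert_match "Blocked host: .example.com", response.body
  end

  # Any object responding to #=== (here a lambda) can act as a permit entry,
  # which is what lets callers plug in custom host checks.
  test "checks for requests with #=== to support wider range of host checks" do
    @app = ActionDispatch::HostAuthorization.new(App, [-> input { input == "www.example.com" }])

    get "/"

    assert_response :ok
    assert_equal "Success", body
  end

  # On success the middleware records the accepted host in the Rack env under
  # "action_dispatch.authorized_host" for downstream consumers.
  test "mark the host when authorized" do
    @app = ActionDispatch::HostAuthorization.new(App, ".example.com")

    get "/"

    assert_equal "www.example.com", request.get_header("action_dispatch.authorized_host")
  end

  # /w.example.co/ would substring-match "www.example.com" if applied as-is;
  # the request must still be rejected, i.e. a Regexp entry has to match the
  # whole host, not a fragment of it. Otherwise an attacker-controlled
  # "www.example.com.evil.tld" style host could slip past a loose pattern.
  test "sanitizes regular expressions to prevent accidental matches" do
    @app = ActionDispatch::HostAuthorization.new(App, [/w.example.co/])

    get "/"

    assert_response :forbidden
    assert_match "Blocked host: www.example.com", response.body
  end

  # Third constructor argument is a Rack app used to build the rejection
  # response instead of the default 403 "Blocked host" page.
  test "blocks requests to unallowed host supporting custom responses" do
    @app = ActionDispatch::HostAuthorization.new(App, ["w.example.co"], -> env do
      [401, {}, %w(Custom)]
    end)

    get "/"

    assert_response :unauthorized
    assert_equal "Custom", body
  end

  # X-Forwarded-Host is permitted (IPAddr entry) but the Host header is not:
  # the request must be rejected, so a spoofed forwarded header cannot be used
  # to satisfy the check on its own. The reported host is the forwarded value.
  test "blocks requests with spoofed X-FORWARDED-HOST" do
    @app = ActionDispatch::HostAuthorization.new(App, [IPAddr.new("127.0.0.1")])

    get "/", env: {
      "HTTP_X_FORWARDED_HOST" => "127.0.0.1",
      "HOST" => "www.example.com",
    }

    assert_response :forbidden
    assert_match "Blocked host: 127.0.0.1", response.body
  end

  # Same headers as above, but with no permit list configured nothing is
  # checked (see the fail-open case earlier), so the request goes through.
  test "does not consider IP addresses in X-FORWARDED-HOST spoofed when disabled" do
    @app = ActionDispatch::HostAuthorization.new(App, nil)

    get "/", env: {
      "HTTP_X_FORWARDED_HOST" => "127.0.0.1",
      "HOST" => "www.example.com",
    }

    assert_response :ok
    assert_equal "Success", body
  end

  # Forwarded header claims "localhost" (permitted) while Host is not permitted;
  # the Host mismatch must still block the request.
  test "detects localhost domain spoofing" do
    @app = ActionDispatch::HostAuthorization.new(App, "localhost")

    get "/", env: {
      "HTTP_X_FORWARDED_HOST" => "localhost",
      "HOST" => "www.example.com",
    }

    assert_response :forbidden
    assert_match "Blocked host: localhost", response.body
  end

  # Mirror image of the spoofing cases: Host is permitted but X-Forwarded-Host
  # is not, so the request is still rejected — both headers have to pass.
  # (Renamed from "forwarded hosts should be permitted", which contradicted the
  # :forbidden assertion.)
  test "forwarded hosts are blocked when not permitted" do
    @app = ActionDispatch::HostAuthorization.new(App, "domain.com")

    get "/", env: {
      "HTTP_X_FORWARDED_HOST" => "sub.domain.com",
      "HOST" => "domain.com",
    }

    assert_response :forbidden
    assert_match "Blocked host: sub.domain.com", response.body
  end

  # With the wildcard ".domain.com" entry both the forwarded sub.domain.com and
  # the bare domain.com Host are accepted and the request reaches the app.
  test "forwarded hosts are allowed when permitted" do
    @app = ActionDispatch::HostAuthorization.new(App, ".domain.com")

    get "/", env: {
      "HTTP_X_FORWARDED_HOST" => "sub.domain.com",
      "HOST" => "domain.com",
    }

    assert_response :ok
    assert_equal "Success", body
  end
end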